vShield Suite

vShield

Upload: kameshbathina

Post on 05-Dec-2014


DESCRIPTION

High level overview about vShield Suite of products.

TRANSCRIPT

Page 1: vShield Suite

vShield

Page 2: vShield Suite

• VMware® vShield is a suite of security virtual appliances built for protecting virtualized datacenters from attacks and misuse

• vShield Components
– vShield Manager
– vShield Zones
– vShield App
– vShield Edge
– vShield End Point

Page 3: vShield Suite

• vShield Manager
– The vShield Manager is the centralized network management component of vShield suite and is installed from OVA as a virtual machine by using the vSphere Client.
– Using the vShield Manager user interface, administrators install, configure, and maintain vShield components

Page 4: vShield Suite

• vShield Zones
– vShield Zones, included with the vShield Manager, provides firewall protection for traffic between virtual machines

• vShield App
– vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.

• vShield Edge
– vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V.
– Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

• vShield End Point
– vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent

Page 5: vShield Suite
Page 6: vShield Suite

vShield Zones

Page 7: vShield Suite
Page 8: vShield Suite
Page 9: vShield Suite
Page 10: vShield Suite
Page 11: vShield Suite

Firewall Rules

Page 12: vShield Suite

vShield App

• vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.

Page 13: vShield Suite

vShield App

• VMware vShield App, part of the VMware vShield family of virtualization security products, protects applications in the virtual datacenter from network-based threats. vShield App gives organizations deep visibility into network communications between virtual machines and enables granular policy enforcement with security groups. The solution also eliminates the hardware and policy sprawl associated with traditional measures, resulting in a cost-effective solution that helps customers go beyond the limitations of physical security.

Page 14: vShield Suite

Key Benefits

• Increase visibility and control over network communications between virtual machines.

• Eliminate the need for dedicated hardware and VLANs to separate security groups from one another.

• Optimize hardware resource utilization while maintaining strong security.

• Simplify compliance with comprehensive logging of all virtual machine network activity.

Page 15: vShield Suite

vShield App Enables Granular Policy Enforcement Using Security Groups

Page 16: vShield Suite

vShield Edge

• vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V.

• Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

Page 17: vShield Suite
Page 18: vShield Suite

Consolidate edge security hardware: Provision edge security services, including firewall and VPN, using existing vSphere resources, eliminating the need for hardware-based solutions.

Page 19: vShield Suite

Ensure performance and availability of web services: Efficiently manage inbound web traffic across virtual machine clusters with web load balancing capabilities

Page 20: vShield Suite

Accelerate IT compliance: Get increased visibility and control over security at the network edge, with the logging and auditing controls you need to demonstrate compliance with internal policies and external regulatory requirements

Page 21: vShield Suite

vShield End Point

• vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent

Page 22: vShield Suite
Page 23: vShield Suite

Streamline antivirus and anti-malware deployment: Deploy enterprise antivirus engine and signature file to a single security virtual machine instead of each and every individual virtual machine on a vSphere host

Page 24: vShield Suite

• Improve virtual machine performance: Securely achieve higher consolidation ratios by the same offload mechanism as described above

Page 25: vShield Suite

• Prevent antivirus storms and bottlenecks: Prevent antivirus storms and bottlenecks associated with multiple simultaneous antivirus and anti-malware scans and updates

Page 26: vShield Suite

• Protect antivirus security software from attack: Deploy and run the antivirus and anti-malware client software in a hardened security virtual machine to prevent targeted attacks

Page 27: vShield Suite